Section 1: Introduction to Open Source Software Security and Maintenance
What are Open Source Software Security and Maintenance?
As one software security expert puts it, “unlike wine and cheese, software does not get better with age – in fact, its security strength decreases over time. This is because of software obsolescence.”1 When it comes to open source software, security and maintenance go hand-in-hand.
Open source software security is about “maintain[ing] the confidentiality, integrity, and availability of information resources in order to enable successful business operations.”2
Open source software maintenance is about keeping software functioning properly and preventing it from becoming obsolete: applying fixes (including security patches), updating the dependencies it builds on, and keeping it compatible with the platforms it runs on.
Maintenance is critical, and failing to invest adequately in it carries “hidden costs”: direct costs associated with exploitation of security vulnerabilities and subsequent loss of functionality and indirect costs resulting from (among other things) the “loss of qualified labor and slower growth and innovation.”3
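As an added example (not code from this guide or its authors), the following Python script shows one concrete way to measure the “aging” described above: it compares a project’s pinned dependencies against a snapshot of a package index and flags anything that is behind the newest release, older than an allowed maximum age, or absent from the index. Every package name, version and release date in it is constructed for illustration and does not refer to a real project.

```python
"""Dependency age audit: a minimal check for software obsolescence.

Added example for this guide, not code from the guide's authors.
All package names, versions and release dates below are constructed
for illustration and do not refer to real projects.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed "lockfile": what a project currently pins.
PINNED = {
    "examplelib": "1.2.0",
    "toolkit": "4.0.1",
    "fresh": "0.9.3",
    "orphan": "3.1.0",   # deliberately absent from the index snapshot
}

# Constructed snapshot of a package index: (version, release date) per package.
INDEX = {
    "examplelib": [("1.2.0", date(2018, 5, 1)),
                   ("1.3.0", date(2019, 1, 10)),
                   ("2.0.0", date(2022, 3, 4))],
    "toolkit": [("4.0.1", date(2022, 6, 1))],
    "fresh": [("0.9.3", date(2022, 9, 1)),
              ("1.0.0", date(2022, 9, 20))],
}


def parse_version(v: str) -> tuple:
    """Turn a dotted numeric version into a comparable tuple: '1.10.2' -> (1, 10, 2)."""
    return tuple(int(part) for part in v.split("."))


@dataclass
class Finding:
    package: str
    pinned: str
    latest: Optional[str]     # newest version in the index, None if not resolvable
    age_days: Optional[int]   # days since the pinned release, None if not resolvable
    behind: bool              # a newer release than the pinned one exists
    aged: bool                # the pinned release is older than max_age_days
    unknown: bool             # package or pinned version missing from the index


def audit(pinned, index, today, max_age_days=365):
    """Return one Finding per pinned dependency, evaluated as of `today`."""
    findings = []
    for name, version in sorted(pinned.items()):
        releases = index.get(name, [])
        release_dates = dict(releases)
        if version not in release_dates:
            # Cannot date the pinned release: treat as unknown and move on.
            findings.append(Finding(name, version, None, None, False, False, True))
            continue
        latest = max((v for v, _ in releases), key=parse_version)
        age_days = (today - release_dates[version]).days
        findings.append(Finding(
            package=name, pinned=version, latest=latest, age_days=age_days,
            behind=parse_version(latest) > parse_version(version),
            aged=age_days > max_age_days, unknown=False))
    return findings


def needs_attention(findings):
    """Filter to the findings a maintainer should act on."""
    return [f for f in findings if f.behind or f.aged or f.unknown]


def audit_example():
    """Run the audit over the constructed data as of 2022-09-29."""
    return audit(PINNED, INDEX, date(2022, 9, 29))


if __name__ == "__main__":
    for f in audit_example():
        flags = [n for n in ("behind", "aged", "unknown") if getattr(f, n)]
        print(f"{f.package:12} {f.pinned:8} latest={f.latest} "
              f"age_days={f.age_days} {' '.join(flags) or 'ok'}")
```

In a real project the constructed `PINNED` and `INDEX` dictionaries would be replaced by the project’s lockfile and a query to the package index, and the age threshold tuned to the project’s own support policy; the point of the check is that a dependency can be “working” and still be quietly obsolete.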
Proprietary vs. Open Source Software Security and Maintenance
There is a common misconception that open source software is less secure than conventional proprietary software. With proprietary software, maintenance is the responsibility of the vendor, and service agreements usually include assurances in the form of liability and warranty clauses. This contributes to the assumption that proprietary software is more secure, although such clauses are contractual: they settle who bears the cost if something goes wrong, and do nothing to make the code itself harder to exploit.
By contrast, with open source software, the responsibility for maintenance is more diffuse and ultimately relies on the community of users and contributors. This does not mean that open source software is less secure. One report found that 89% of large IT firm executives believed open source software to be as secure as proprietary software.4 In short, “licensing models have nothing to do with security.”5
Software and Privacy in the Digital Age
Governments, by their very nature, generate and use large amounts of personally identifiable information about their residents in order to administer programs and services and to make informed policy decisions.
Nearly all personally identifiable information is now held in digital form. This makes it far more efficient to manage through its lifecycle with software applications, but it also makes it more exposed to attack. Even information that is not personally identifiable on its own can be pieced together to build an accurate profile of an individual, including their location, habits and preferences.6
Privacy is considered a foundational component of freedom in our society.7 Personally identifiable information stored in an improperly secured location – whether it is on a local server or in the cloud – is vulnerable to privacy breaches. For this reason, safeguarding information – including personally identifiable information – must be a key priority when considering the security of both conventional proprietary and open source software.
1. Chris Romeo, “A Security Practitioner’s Guide to Software Obsolescence”, TechBeacon, accessed September 29, 2022.
2. Keith Turpin, “Secure Coding Practices - Quick Reference Guide” (OWASP Foundation, 2010), 4.
3. Nadia Eghbal, “Roads and Bridges: The Unseen Labor Behind Our Digital Infrastructure” (Ford Foundation, 2016), 77.
4. Liam Tung, “Open Source Security Fears Are Fading Away”, ZDNET, March 3, 2022.
5. Rafael Laguna, “4 Myths About Open Source We Should Put to Rest”, WIRED, March 2013.
6. Canadian Centre for Cyber Security, “National Cyber Threat Assessment 2020” (Government of Canada, 2020).
7. Office of the Privacy Commissioner of Canada, “A Data Privacy Day Conversation with Canada’s Privacy Commissioner”, February 5, 2020.